Everybody Loves Containers

- Portability
- Agility
- Density


What are Containers?

[Diagram: a virtual-machine stack (Infrastructure > Host Operating System > hypervisor and guest OS > Bins/Libs > App) beside a container stack (Infrastructure > Host Operating System > Docker Engine > Bins/Libs > App).]

Containers provide VM-like resource isolation but are lighter-weight, more efficient and more portable. Note that every container on a host shares the host kernel: the isolation boundary is the kernel's namespaces and cgroups, not a hypervisor, which is why host and engine configuration matter so much in the security checklist later in this deck.
Container Components & Lifecycle

Dockerfile > Image > Image Registry > Containers (run by the Docker Engine)

Example Dockerfile from the slide, cleaned up (image references must be lowercase, and the install line was split across two lines in the original):

    # Apache image
    FROM ubuntu:12.04
    # update the package index and install Apache in the image
    RUN apt-get update
    RUN apt-get install -y apache2
    # run the Apache worker processes as the unprivileged www-data user
    ENV APACHE_RUN_USER www-data

The slide tags the resulting image myApache:2.2:Latest. Note the base image: Ubuntu 12.04 is long out of support, which is exactly the kind of finding the image scanning described later is meant to catch before the image reaches a registry.
Container Orchestration Tools

New age of DevOps tools specific to containers, enabling deployment and management of distributed containers at scale: Kubernetes, Docker Swarm, Apache Mesos.

Provides:
a) Resource management for the complete cluster
b) Service level management via active monitoring
Container Platforms

On premise: Red Hat OpenShift
Cloud: Amazon ECS, Amazon EKS, Google Cloud Container Engine, Azure Container Service


Deployment Scenario #1

[Diagram: layers shown are Infrastructure, Hypervisor, Host Operating System, Guest OS, with containers on top.]

Use case:
1. Shrinking infrastructure, as organizations continue migration to the cloud
2. Containers deployed within virtual machines
3. But organizations still have the overhead and costs of the hypervisor and virtual machines


Deployment Scenario #2

1. The orchestration battle ends with Kubernetes winning 80% of the market
2. But organizations struggle to scale their own Kubernetes clusters

[Diagram: self-managed Kubernetes cluster on top of Infrastructure.]


Deployment Scenario #3

1. Orchestration-as-a-Service adoption accelerates container adoption
2. Now where do you put security?

[Diagram: orchestration consumed as a service on top of Infrastructure.]


Container Visibility & Security Challenges

Container Lifecycle Challenges

Container Images (Build)
- What's in the images? Vulnerabilities? OSS license exposure?
- Is the solution disruptive to my CI pipeline?
- Is the scanning report integrated with bug tracking?

Container Registry (Ship)
- Registry scanning? Enforce compliance?
- Vulnerability, package and license-based rules?
- Vulnerability impact notifications?

Container Instances and Infrastructure (Run)
- How to protect the host?
- Container engine configured correctly?
- Container orchestration configured correctly?
- Runtime app visibility?
- Runtime app protection?
Qualys Container Security - Key Uses

- Visibility into your container projects: identify hosts with containers; inventory of images and containers; search images by vulnerabilities, labels, tags, packages...; custom widgets.
- Secure the CI/CD pipeline: integrate image vulnerability scans into the build; FAIL builds so unsecure images do not enter the stream.
- Identify threats and impact across environments: find out if older image versions are still active; know all the containers with a specific exposed port or from a vulnerable image.
- Container runtime protection: find what containers are running; know if the runtime got changed from the image; protect from changes or breakouts.
Use Case #1: Visibility into your container projects

Overview Dashboard
Inventory & security posture widgets:
- Container hosts
- Count of images, containers
- Containers by state
- Vulnerable images
Personalize and add custom widgets.

[Screenshot: Container Security dashboard (Dashboard / Assets / Events / Configurations), last 30 days. Widgets: Total Images, Total Containers, Image Distribution by Registry (docker.io, art-hq.intranet.qualys.com:5001, 520985521435.dkr.ecr.ap-southeast-1.amazonaws....), Rogue Containers by Software Differences (New / Removed), Image Distribution by Vulnerability Severity, Container Distribution by State (Deleted / Running / ...), Rogue Containers by Vulnerability (Fixed / Varied / New), Container Distribution by Vulnerability Severity.]
Know where your Containers are

- Inventory of all container hosts across your datacenters, public clouds, laptops...
- Know how the host vulnerabilities and exploits affect your container environments

AssetView searches used on the slide:
- Docker hosts: isDockerHost:"true"
- Docker on Mac laptops: operatingSystem:mac and software.name:docker
- Docker hosts in a given cloud: isDockerHost:"true" and provider:AWS (or Azure, GCP)

[Screenshot: AssetView asset list and the "Docker Container Hosts Visibility" dashboard, with widgets such as "Docker EasyExploit & Patchable per severity"; host rows show the OS (Ubuntu Linux 16.04.6, Mac OS X 10.13.6), modules, last logged-in user and Cloud Agent as the activity source.]

Image Inventory and Smart Searches

Search based on all attributes, e.g.:
  vulnerabilities.severity:"Severity 5" and repo.registry:"docker.io"

Preset quick search filters:
- Identify images by application labels (Dockerfile, license such as GPLv2, base image, ...)
- Registry (docker.io, art-hq.intranet.qualys.com)
- Vulnerabilities by severity

Image info per row: registry info, image id, hosts it is on, containers for this image, vulnerability posture, and easy drill-down for the complete inventory.

[Screenshot: Containers view listing docker.io images (elasticsearch, redis, kibana, node, httpd, solr, tomcat) with tag, image id, host count and vulnerability counts.]
Use Case #2: Secure the CI/CD pipeline

Block vulnerable images in the build

[Diagram: developers commit code, the CI server (Jenkins, Bamboo) builds and tests the image, and a Qualys vulnerability scan runs on the built image before it is pushed onward.]

* TeamCity, CircleCI - support coming soon


Actionable Vulnerability Information

Jenkins pipeline-project #78 - Qualys Build Report for image e8d112ff7588

Build Summary
- Build Status: Failed
- Image ID: e8d112ff7588, Tags: latest, Size: 828 MB
- The vulnerabilities count by severity for image id e8d112ff7588 exceeded one of the configured threshold values
- Configured: Severity 1 > 0; Severity 2 > 0; Severity 3 > 0; Severity 4 > 0; Severity 5 > 0
- Found: Severity 1: 0, Severity 2: 1, Severity 3: 11, Severity 4: 2, Severity 5: 0

Confirmed Vulnerabilities (10): Sev 5 (0), Sev 4 (1), Sev 3 (9), Sev 2 (0), Sev 1 (0)
Potential Vulnerabilities (4): Sev 5 (0), Sev 4 (1), Sev 3 (2), Sev 2 (1), Sev 1 (0)
Patchability: Yes (12), No (2)
Vulnerabilities Trend: comparing with build #77

Installed Software (with a fix available)

  Name                       Installed Version            Fixed In Version
  libmagickwand-dev          8:6.9.7.4+dfsg-11+deb9u3     8:6.9.7.4+dfsg-11+deb9u4
  libmagickwand-6-headers    8:6.9.7.4+dfsg-11+deb9u3     8:6.9.7.4+dfsg-11+deb9u4
  libmagickcore-dev          8:6.9.7.4+dfsg-11+deb9u3     8:6.9.7.4+dfsg-11+deb9u4
  libmagickcore-6-headers    8:6.9.7.4+dfsg-11+deb9u3     8:6.9.7.4+dfsg-11+deb9u4
  imagemagick-6.q16          8:6.9.7.4+dfsg-11+deb9u3     8:6.9.7.4+dfsg-11+deb9u4
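The build gate in the report above is a simple rule: per severity, fail the build when the number of findings exceeds the configured threshold. The following is an added example of that gate, not the Qualys Jenkins plugin's code; the report layout, the helper names and the patchable flags are assumptions, while the per-severity counts and the thresholds are the ones in the report.

```python
"""Severity-threshold build gate, modelled on the Jenkins build report above.

Added example, not the Qualys Jenkins plugin's code. The report layout, the
helper names and the 'patchable' flags are assumptions; the per-severity
counts and thresholds are the ones shown in the report.
"""
import sys
from collections import Counter

# Constructed scan report for image e8d112ff7588: 10 confirmed and 4 potential
# findings, matching the report's "Found" line (Sev2: 1, Sev3: 11, Sev4: 2).
CONSTRUCTED_REPORT = {
    "image_id": "e8d112ff7588",
    "tags": ["latest"],
    "vulnerabilities": (
        [{"severity": 4, "confirmed": True, "patchable": True} for _ in range(1)]
        + [{"severity": 3, "confirmed": True, "patchable": True} for _ in range(9)]
        + [{"severity": 4, "confirmed": False, "patchable": True} for _ in range(1)]
        + [{"severity": 3, "confirmed": False, "patchable": True} for _ in range(1)]
        + [{"severity": 3, "confirmed": False, "patchable": False} for _ in range(1)]
        + [{"severity": 2, "confirmed": False, "patchable": False} for _ in range(1)]
    ),
}

# Thresholds as configured in the report: "Severity N > 0" means the build
# fails as soon as any finding of that severity is present.
DEFAULT_THRESHOLDS = {1: 0, 2: 0, 3: 0, 4: 0, 5: 0}


def count_by_severity(report, include_potential=True):
    """Return {severity: count} for severities 1..5, optionally confirmed-only."""
    counts = Counter(
        v["severity"] for v in report["vulnerabilities"]
        if v["confirmed"] or include_potential
    )
    return {sev: counts.get(sev, 0) for sev in range(1, 6)}


def gate_build(report, thresholds=DEFAULT_THRESHOLDS, include_potential=True):
    """Return (passed, breaches); breaches is a list of (severity, found, allowed)."""
    found = count_by_severity(report, include_potential)
    breaches = [
        (sev, found[sev], limit)
        for sev, limit in sorted(thresholds.items())
        if found[sev] > limit
    ]
    return (not breaches, breaches)


def patchability(report):
    """Return (patchable, not_patchable) counts, i.e. the Patchability widget."""
    yes = sum(1 for v in report["vulnerabilities"] if v["patchable"])
    return (yes, len(report["vulnerabilities"]) - yes)


def build_summary(report, thresholds=DEFAULT_THRESHOLDS):
    """Render the text of the Build Summary shown in the Jenkins report."""
    passed, _ = gate_build(report, thresholds)
    found = count_by_severity(report, include_potential=True)
    lines = [f"Build Status: {'Passed' if passed else 'Failed'}  Image ID: {report['image_id']}"]
    if not passed:
        lines.append(
            f"The vulnerabilities count by severity for image id {report['image_id']} "
            "exceeded one of the configured threshold values"
        )
    lines.append("Configured : " + "; ".join(f"Severity {s} > {t}" for s, t in sorted(thresholds.items())))
    lines.append("Found : " + ", ".join(f"Severity {s}: {found[s]}" for s in sorted(found)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_summary(CONSTRUCTED_REPORT))
    # A non-zero exit status is what makes the CI job fail and keeps the
    # image from being pushed to the registry.
    sys.exit(0 if gate_build(CONSTRUCTED_REPORT)[0] else 1)
```

Two details worth keeping when you wire something like this into a pipeline: the "Found" line in the report counts potential findings together with confirmed ones, so the gate should too (a gate that only counts confirmed findings is the `include_potential=False` path), and the gate must turn into a non-zero exit status, since that is the only signal Jenkins acts on.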
Use Case #3: Detect Threats and Impact

Identify the threat from a vulnerable image

Image Details: dockersamples/examplevotingapp_worker
- Summary: quick summary of the image; Size: 917.32 MB; Docker Version: 17.04.0-ce-rc2; Repository Name: dockersamples/exam...
- Vulnerabilities: 16 (Confirmed 15 = 94%, Potential 1 = 6%)
- Associated Containers: 3 (Running 1 = 33%, Stopped 2 = 67%)
- View list based on the same vulnerabilities; select the severity to review by (e.g. severity: [5,4,3])
- Tabs: Summary, Image Information, Associations, Installed Software, Vulnerabilities, Layers

Know other images and containers impacted by the vulnerability. Quick Actions per finding (e.g. QID 176027, QID 176034):
- View QID Details
- View Vuln Details
- View Images with this vulnerability
- View Containers with this vulnerability

Vulnerabilities listed for the image (1-15 of 15), all published about a month before the screenshot:
- Debian Security Update for git (DSA 3848-1)
- Debian Security Update for shadow (DSA 3793-2)
- Debian Security Update for perl (DSA 3873-1)
- Debian Security Update for glibc (DSA 3887-1)
- Debian Security Update for subversion (DSA 3932-1)
- Debian Security Update for git (DSA 3934-1)

CVEs referenced: CVE-2017-8386, CVE-2017-6512, CVE-2017-1000366, CVE-2016-8734, CVE-2017-1000117
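The two quick actions "View Images with this vulnerability" and "View Containers with this vulnerability", plus the earlier question of whether older image versions are still active, are all joins over the same inventory. The following is an added example of those lookups, not Qualys code: the inventory schema, the image ids img01..img03, the container names, ports and dates, and the helper names are constructed for illustration; the repository name and the CVE identifiers come from the slide.

```python
"""Vulnerability blast-radius lookups over a container inventory.

Added example, not Qualys code. The inventory schema, image ids (img01..img03),
container names and helper names are constructed; the repository name and the
CVE identifiers are taken from the slide.
"""
from datetime import date

# Constructed inventory: two builds of examplevotingapp_worker, the older of
# which still backs a running container, plus an unrelated elasticsearch image.
IMAGES = {
    "img01": {"repo": "dockersamples/examplevotingapp_worker", "tag": "1.0",
              "created": date(2017, 12, 19),
              "cves": {"CVE-2017-1000117", "CVE-2017-8386", "CVE-2016-8734"}},
    "img02": {"repo": "dockersamples/examplevotingapp_worker", "tag": "1.1",
              "created": date(2018, 3, 22),
              "cves": {"CVE-2017-8386"}},
    "img03": {"repo": "docker.io/elasticsearch", "tag": "latest",
              "created": date(2018, 2, 6), "cves": set()},
}

CONTAINERS = {
    "c-worker-old":     {"image": "img01", "state": "RUNNING", "ports": {8080}},
    "c-worker-stopped": {"image": "img01", "state": "STOPPED", "ports": {8080}},
    "c-worker-new":     {"image": "img02", "state": "RUNNING", "ports": {8080}},
    "c-es":             {"image": "img03", "state": "RUNNING", "ports": {9200}},
}


def images_with(cve, images=IMAGES):
    """'View Images with this vulnerability': image ids carrying the CVE."""
    return sorted(i for i, img in images.items() if cve in img["cves"])


def containers_with(cve, state=None, images=IMAGES, containers=CONTAINERS):
    """'View Containers with this vulnerability', optionally filtered by state."""
    affected = set(images_with(cve, images))
    return sorted(
        c for c, ctr in containers.items()
        if ctr["image"] in affected and (state is None or ctr["state"] == state)
    )


def containers_exposing(port, containers=CONTAINERS):
    """Running containers that expose a given port."""
    return sorted(c for c, ctr in containers.items()
                  if port in ctr["ports"] and ctr["state"] == "RUNNING")


def stale_versions_active(repo, images=IMAGES, containers=CONTAINERS):
    """Older builds of a repository that still back a running container."""
    builds = {i: img for i, img in images.items() if img["repo"] == repo}
    if not builds:
        return set()
    newest = max(builds, key=lambda i: builds[i]["created"])
    running = {ctr["image"] for ctr in containers.values() if ctr["state"] == "RUNNING"}
    return {i for i in builds if i != newest and i in running}


def impact_report(cve):
    """One-shot answer to 'who is exposed to this CVE right now?'."""
    return {
        "images": images_with(cve),
        "running_containers": containers_with(cve, state="RUNNING"),
        "stopped_containers": containers_with(cve, state="STOPPED"),
    }
```

Stopped containers are reported separately on purpose: they are not exposed today, but `docker start` brings the vulnerable image straight back, so they belong on the remediation list rather than being dropped from it.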
Use Case #4: Runtime Drifts & Protection

Detect containers breaking off from "immutable" behavior, and block/kill/quarantine them.

Image Associations: the containers started from an image, with state (Running / Stopped), age (e.g. 21 days ago) and creation date (Mar 22, 2018; Dec 19, 2017), with a link to view the full list.

Rogue Containers by Type: 3 in total, 2 by vulnerability differences, 1 by software differences, 0 by both. Rows shown (container id, host, container name, host IP):
- ea90cb120a88  qwbqadocker2  demoapplicationshq_worker.1.0win  10.11.61.54
- e8f6c2d60aa9  qwbqadocker2  demoapplicationshq_worker.1.mo6:  10.11.61.54
- 2ac2753c040a  qwbqadocker2  demoapplicationshq_worker.1.gcx8  10.11.61.54

Containers breaking off from the immutable behavior: the Activity Monitor (date range: last 7 days) shows the top 10 containers and images by activity, with anomaly indicators per container and host/service labels (e.g. host:prod-load286). Drill down to the details to identify the activity in the containers.
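A "rogue" container in the dashboard sense is one whose observed software or findings no longer match the image it was started from. The following is an added example of that classification, not the Qualys sensor's code: the package manifests, the response policy and the helper names are constructed; the three container ids and the host come from the slide, the two QIDs from the image detail page above, and "vuln-constructed-1" and the fourth container id are made up for illustration.

```python
"""Image-vs-container drift ('rogue container') classification.

Added example, not the Qualys sensor's code. The manifests and the response
policy are constructed; the container ids ea90cb120a88, e8f6c2d60aa9 and
2ac2753c040a come from the slide, the QIDs from the image detail page, and
'constructed-4' / 'vuln-constructed-1' are made-up identifiers.
"""
from collections import Counter

# What the image shipped with (constructed; Debian-style version strings).
IMAGE_MANIFEST = {
    "packages": {"apache2": "2.4.25-3+deb9u4",
                 "libmagickwand-dev": "8:6.9.7.4+dfsg-11+deb9u3",
                 "curl": "7.52.1-5+deb9u7"},
    "vulns": {"QID-176027", "QID-176034"},
}

# What the sensor observed inside each running container (constructed).
CONTAINERS = {
    # identical to the image: not rogue
    "ea90cb120a88": {"packages": dict(IMAGE_MANIFEST["packages"]),
                     "vulns": set(IMAGE_MANIFEST["vulns"])},
    # someone installed a tool inside the running container: Software drift
    "e8f6c2d60aa9": {"packages": {**IMAGE_MANIFEST["packages"],
                                  "netcat-traditional": "1.10-41"},
                     "vulns": set(IMAGE_MANIFEST["vulns"])},
    # a package was upgraded in place, which also removed one finding: Both
    "2ac2753c040a": {"packages": {**IMAGE_MANIFEST["packages"],
                                  "libmagickwand-dev": "8:6.9.7.4+dfsg-11+deb9u4"},
                     "vulns": {"QID-176027"}},
    # same packages, but a newly published finding applies: Vulnerability drift
    "constructed-4": {"packages": dict(IMAGE_MANIFEST["packages"]),
                      "vulns": IMAGE_MANIFEST["vulns"] | {"vuln-constructed-1"}},
}

# What to do with each drift type: the slide's block/kill/quarantine choices.
RESPONSE_POLICY = {"Software": "quarantine", "Vulnerability": "alert", "Both": "kill"}


def diff_container(image, container):
    """Compare a container's observed software and findings with its image."""
    img_pkgs, ctr_pkgs = image["packages"], container["packages"]
    # packages present in the container at a version the image did not ship
    software_new = {n: v for n, v in ctr_pkgs.items() if img_pkgs.get(n) != v}
    software_removed = sorted(n for n in img_pkgs if n not in ctr_pkgs)
    vuln_fixed = image["vulns"] - container["vulns"]      # 'Fixed' in the widget
    vuln_varied = container["vulns"] - image["vulns"]     # 'Varied' / 'New'
    software = bool(software_new or software_removed)
    vuln = bool(vuln_fixed or vuln_varied)
    kind = ("Both" if software and vuln else "Software" if software
            else "Vulnerability" if vuln else None)
    return {"type": kind, "software_new": software_new,
            "software_removed": software_removed,
            "vuln_fixed": vuln_fixed, "vuln_varied": vuln_varied}


def rogue_summary(image, containers):
    """The 'Rogue Containers by Type' widget: counts per drift type."""
    kinds = [diff_container(image, c)["type"] for c in containers.values()]
    return dict(Counter(k for k in kinds if k))


def respond(image, containers, policy=RESPONSE_POLICY):
    """Map each drifted container to the action the policy prescribes."""
    actions = {}
    for cid, ctr in containers.items():
        kind = diff_container(image, ctr)["type"]
        if kind:
            actions[cid] = policy[kind]
    return actions
```

Software drift is the stronger signal: a package that was not in the image can only appear if someone (or something) ran a package manager inside the container, which is exactly what an immutable deployment forbids. Vulnerability-only drift usually means the knowledge base caught up with an unchanged image, which is a rebuild-and-redeploy problem rather than a runtime incident, so the policy above only alerts on it.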
Container Details - Activity Monitor

(Navigation: Dashboard, Images, Vulnerabilities, Containers, Policies, Settings; views: Metrics, Activity Monitor, Topology; date range: last 7 days)

System-call activity observed in the container: sys_read, sys_write, sys_close, sys_stat, sys_fstat, sys_lstat, sys_writev, sys_pipe.

Event Details (5 minutes ago)

Process /usr/sbin/httpd was blocked from executing /bin/sh. Severity: High

Raw log:

  Process          Process ID  Call        Arguments  Action  Time
  /usr/sbin/httpd  31          sys_execve  /bin/sh    Deny    11/13/2018, 12:48:23AM

Processes executing /usr/sbin/httpd:
- /usr/sbin/httpd

Processes accessing /usr/sbin/httpd:
- /usr/sbin/httpd

A web server spawning a shell is the classic footprint of a web shell or command-injection exploit; in an immutable container the learned profile has never seen httpd exec anything, so the execve is denied rather than merely logged.
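The event above is a behaviour profile being enforced: the image's processes are only allowed the calls and exec targets that were learned for them, and anything else is denied. The following is an added example of that decision logic, not the Qualys sensor's enforcement engine; the profile, the event records and the severity rules are constructed, and the blocked execve of /bin/sh by /usr/sbin/httpd (pid 31) is the event from the slide.

```python
"""Runtime behaviour enforcement for an 'immutable' container.

Added example, not the Qualys sensor's enforcement engine. The behaviour
profile, the event records and the decision rules are constructed; the blocked
execve of /bin/sh by /usr/sbin/httpd (pid 31) is the event from the slide.
"""

# Learned profile: which calls each process in the image may make and, for
# execve, which programs it may start. None = any argument; an empty set for
# sys_execve means the process never starts children.
PROFILE = {
    "/usr/sbin/httpd": {
        "sys_read": None, "sys_write": None, "sys_writev": None, "sys_close": None,
        "sys_stat": None, "sys_fstat": None, "sys_lstat": None, "sys_pipe": None,
        "sys_execve": set(),
    },
}

# Constructed event stream in the Raw log layout from the slide.
EVENTS = [
    {"process": "/usr/sbin/httpd", "pid": 31, "call": "sys_read",
     "args": "/var/www/html/index.html", "time": "11/13/2018, 12:48:22AM"},
    {"process": "/usr/sbin/httpd", "pid": 31, "call": "sys_execve",
     "args": "/bin/sh", "time": "11/13/2018, 12:48:23AM"},
    {"process": "/usr/sbin/httpd", "pid": 31, "call": "sys_write",
     "args": "/var/log/apache2/access.log", "time": "11/13/2018, 12:48:23AM"},
    {"process": "/usr/bin/nc", "pid": 57, "call": "sys_execve",
     "args": "/bin/sh", "time": "11/13/2018, 12:48:24AM"},
]


def evaluate(event, profile=PROFILE):
    """Return (action, severity): ('Allow', None) or ('Deny', severity)."""
    allowed = profile.get(event["process"])
    if allowed is None:
        return ("Deny", "High")            # process is not part of the image's profile
    if event["call"] not in allowed:
        return ("Deny", "Medium")          # call never observed for this process
    targets = allowed[event["call"]]
    if targets is not None and event["args"] not in targets:
        # execve to something outside the profile is the web-shell / breakout
        # precursor, so it is the high-severity case
        return ("Deny", "High" if event["call"] == "sys_execve" else "Medium")
    return ("Allow", None)


def describe(event, decision):
    """The one-line Event Details message."""
    action, severity = decision
    if action == "Allow":
        return f"Process {event['process']} {event['call']} {event['args']} allowed"
    if event["call"] == "sys_execve":
        return (f"Process {event['process']} was blocked from executing "
                f"{event['args']}. Severity: {severity}")
    return (f"Process {event['process']} was blocked from {event['call']} "
            f"on {event['args']}. Severity: {severity}")


def raw_log(events, profile=PROFILE, enforce=True):
    """Rows of the Raw log table. In audit mode violations are logged, not denied."""
    rows = []
    for e in events:
        action, _ = evaluate(e, profile)
        if action == "Deny" and not enforce:
            action = "Alert"
        rows.append((e["process"], e["pid"], e["call"], e["args"], action, e["time"]))
    return rows
```

Run a new image in audit mode (`enforce=False`) first: a profile learned from a short test run will miss legitimate but rare paths (log rotation, a health-check script), and finding those as "Alert" rows is far cheaper than finding them as a production outage after switching to "Deny".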


Qualys Container Security

Build
- Software composition, vulnerability analysis, OSS license analysis
- Integration with CI pipelines
- Bug tracking integration

Ship
- Registry scanning
- Compliance controls: vulnerability, package and license-based rules
- Real-time vulnerability impact notifications

Run
- Host protection
- Container engine benchmarking
- Container orchestration benchmarking
- Deep runtime visibility
- Runtime protection

Qualys Container Security
- Protection for container infrastructure: host protection, CIS Benchmarks
- Accurate insight and control: scanning & compliance of container images
- Visibility & protection: automated analysis and enforcement of container behavior
Qualys 'Container Security' Sensor Options

- Qualys Layered Insight: embedded option, the sensor runs inside each container
- Qualys Container Sensor: side-car*

[Diagram: a node running many containers with a single side-car sensor container alongside them, versus the Layered Insight option embedded in every container.]

* Qualys side-car to 'all' containers on the node. Runs today as non-privileged. As features of compliance and enforcement are added, the mode will change to privileged, with the option to revert to non-privileged. A privileged sensor container can reach the host kernel and every other container on the node, so once that switch is made the sensor is part of the node's trusted computing base and its image and configuration deserve the same scrutiny as the engine itself.
Sensors for every use case

Pre-deployment phase
- Build (CI servers such as Jenkins, Bamboo): Container Sensor in CI mode
- Registry: Container Sensor in registry mode

Post-deployment phase
- Runtime: Layered Insight sensor* and Container Sensor as side-car**
- Host: Cloud Agent or Scanner Appliances

* Layered Insight option for runtime protection
** Prevention from starting off malicious containers

© Qualys.